Privacy and Passwords

Living Privately.

Building and maintaining a sense of what to show in each social environment.

Discovering and creating new environments in which we can show more of ourselves.

Assessing where you can grow new parts of yourself which aren’t (yet) for public display.

K12 classrooms – and most families – have bad password practices. Passwords for Google Classroom accounts are often derived from usernames. That password is then reused when signing up for other online accounts. This violates three of the most important rules of protecting online privacy and identity. From Krebs on Security:

Do not use your network username as your password.

Avoid using the same password at multiple Web sites.

Never use the password you’ve picked for your email account at any online site: If you do, and an e-commerce site you are registered at gets hacked, there’s a good chance someone will be reading your e-mail soon.

According to security experts, today the industry is dealing with a password reuse crisis. In the past few weeks, account breaches have been reported by LinkedIn, Tumblr, VK.com, Fling and MySpace – bringing the total number of compromised accounts to more than 642 million.

“We know that attackers will go for the weakest link and that is any user who reuses their passwords. It’s a major problem,”

At most schools, student identities are protected by weak passwords trivially derived from usernames and reused everywhere. Once someone gets ahold of your email password, they can reset your passwords elsewhere and pwn your life. When you reuse passwords, a data leak on a forgotten site can be escalated into takeover of your email and your identity.

Good passwords

If you decide to use a password manager, these great little apps can generate really strong passwords for you whenever you need one. You can also use password generators on trusted websites, such as LastPass or Norton.

Follow these rules and you’ll get better passwords:

Make strong passwords that are at least 12 to 16 characters long.

Don’t use pet or family names.

Don’t use your address, Social Security number, birth date, or other personal information.

Never recycle or reuse a password— not even once.

Don’t let Chrome, Firefox, Safari, or any other browser save passwords for you.

Use password phrases (usually six or more words long) for the best security.

Include capital letters, numbers, and symbols if the app or site allows it.
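The rules above, and the classroom habits described earlier (passwords derived from usernames, then reused), can be checked mechanically against a list of your own logins. This is an added example, not code from the original page; the entries, site names and the `audit` helper are constructed for illustration, and the 12-character floor is taken from the first rule.

```python
from collections import defaultdict

MIN_LENGTH = 12  # lower bound of the "12 to 16 characters" rule

# Constructed sample entries (site, username, password); not real accounts.
SAMPLE_VAULT = [
    ("classroom.example", "jsmith27", "jsmith27!"),
    ("forum.example", "jsmith27", "jsmith27!"),
    ("mail.example", "j.smith@mail.example", "Tr0ub4dor"),
    ("bank.example", "jsmith", "plinth-orbit-canvas-mango-ferry-dusk"),
]

def _normalize(text):
    """Lowercase and keep only letters and digits so 'J.Smith' matches 'jsmith'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def derived_from_username(username, password):
    """True if the password contains the username's local part, forwards or reversed."""
    local = _normalize(username.split("@")[0])
    pw = _normalize(password)
    if len(local) < 3:  # too short to call a match meaningful
        return False
    return local in pw or local[::-1] in pw

def audit(entries, min_length=MIN_LENGTH):
    """Return {site: [findings]} for every entry that breaks one of the rules."""
    sites_by_password = defaultdict(list)
    for site, _user, password in entries:
        sites_by_password[password].append(site)
    report = {}
    for site, user, password in entries:
        findings = []
        if derived_from_username(user, password):
            findings.append("derived-from-username")
        if len(sites_by_password[password]) > 1:
            findings.append("reused")
        if len(password) < min_length:
            findings.append("too-short")
        if findings:
            report[site] = findings
    return report

if __name__ == "__main__":
    for site, findings in audit(SAMPLE_VAULT).items():
        print(site, findings)
```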

Password managers

Password managers like LastPass and 1Password save all of your passwords safely in a vault and encrypt everything. That way, you have them all in one place, no one can accidentally discover them, and you can make really complicated passwords, because the manager will keep track of them (and remember them) for you. You use one master password to unlock the password manager, and it saves and encrypts your passwords either locally or on its site. Most of these applications also have crazy-awesome password creators that you can and should use to generate super-strong new passwords with one click— and the password app automatically saves them for you.

The penny first dropped for me just over 7 years ago to the day: The only secure password is the one you can’t remember. In an era well before the birth of Have I Been Pwned (HIBP), I was doing a bunch of password analysis on data breaches and wouldn’t you know it – people are terrible at creating passwords! Of course, we all know that but it’s interesting to look back on that post all these years later and realise that unfortunately, nothing has really changed.

The strength of most passwords is terrible. Then they get reused. Everywhere. That post was my own personal wakeup call; it was the very point where I observed that what we all needed to do was to “liberate ourselves from the tyranny of passwords”, as I said at the time, and that’s precisely what I did: I went and bought 1Password and I’ve been using it every single day since across all my devices.

I use 1Password to generate passwords. You can adjust the password recipe to accommodate any site’s password rules. Here’s the recipe I usually use.

That’s 50 characters of random, which makes for a good password. Most sites will accept 50 characters, but there are still plenty out there that balk at passwords over 8, 10, 15, or 20 characters in length. Banks, unfortunately, are known for their short password limitations (and crufty password advice). I start at 50 and work my way down. “Complexity is nice, but length is key.” Go for long passwords.

Update: The NIST recently announced new password rules that recommend sites allow a maximum length of at least 64 characters. 1Password updated its password generator to support a 64 character maximum.
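The "start at 50 and work my way down" approach can be sketched as follows. This is an added example, not the author's recipe or 1Password's generator; the symbol set and the `site_max` parameter are assumptions. It draws characters from the operating system's CSPRNG via Python's `secrets` module, trims the length to a site's limit, and reports how much entropy each cut costs.

```python
import math
import secrets
import string

DEFAULT_LENGTH = 50        # the starting length described above
SYMBOLS = "!@#$%^&*-_=+"   # assumed symbol set; sites differ in what they accept

def alphabet(use_symbols=True):
    """Character classes to draw from: lower, upper, digits and optionally symbols."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if use_symbols:
        classes.append(SYMBOLS)
    return classes

def generate(site_max=None, length=DEFAULT_LENGTH, use_symbols=True):
    """Random password of `length` characters, cut down to the site's limit if it has one."""
    if site_max is not None:
        length = min(length, site_max)
    classes = alphabet(use_symbols)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    pool = "".join(classes)
    # One character from each class so composition rules are met, the rest from the full pool.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so the forced characters have no fixed position.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def entropy_bits(length, use_symbols=True):
    """Upper bound: length * log2(pool size). Forcing one of each class lowers it slightly."""
    pool_size = sum(len(c) for c in alphabet(use_symbols))
    return length * math.log2(pool_size)

if __name__ == "__main__":
    # Work down from 50 through the site limits mentioned above.
    for limit in (None, 20, 15, 10, 8):
        pw = generate(site_max=limit)
        print(f"{len(pw):2d} chars  ~{entropy_bits(len(pw)):5.1f} bits  {pw}")
```

Passing `length=64` produces a password at the 64-character maximum mentioned in the update.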

When choosing a password manager, get one that runs on all of the devices you use. I’ve used 1Password for years. It offers iOS, Android, Windows, and Mac clients. It can sync your passwords between devices via iCloud or Dropbox. If you need to share passwords among family or team members, check out 1Password for Families or 1Password for Teams. My family uses 1Password for Families. In addition to personal vaults for everyone, we have a vault shared amongst the whole family for streaming video and audio accounts. My wife and I have a shared vault for bank, medical, insurance, and other household accounts. Having log in information for all joint accounts in a shared vault improves our family’s bus factor.

How passwords are stolen

There are simpler ways to get your password though. One is shoulder surfing, where someone watches over your shoulder as you enter your password on your computer or phone while you’re logging in on the bus or plane or at a café. Social engineering is another way that you can have your passwords stolen. Basically, social engineering involves attempts to con you into telling someone your passwords. The person conning you might call you and pretend that they’re tech support for Gmail, telling you that you have email stuck somewhere and they need your password to log in and free it up. They might know the names of your friends or colleagues, as well as their phone numbers and email addresses— all of which they can find online via social media sites like LinkedIn, Facebook, Twitter, and people-search sites. Malicious people can also use information they find about you on Facebook and other sites to correctly guess the answers to password-reset questions.

Threat model

Be realistic about your threat model. State-sponsored surveillance and hacking aren’t in the threat model of most families. Protect yourself from the much more real threat of phishing by using a password manager, unique passwords, and two-factor authentication.

If only we talked about passwords, two-factor and updates as much as we do 0days and nation states. https://t.co/fyRdeIMcpy

Sharing passwords

Here’s one thing to know: if a teacher, boss, TSA agent, police officer, or anyone else tells you that you have to give them your password, you shouldn’t do it unless you know it’s against the law not to.

If you share an account with friends or family, do it the smart way. Don’t use a password that you use anywhere else. Treat the shared account like any account that can get attacked, but know that its security is weaker than that of an account that you have total control over because it has a shared password. Don’t connect that shared account to any other accounts; otherwise an attacker could use that connection to get into those accounts.

Surveillance, privacy, data ethics, and trust

“In the educational domain we see a lot of normalisation of designing computers so that their users can’t override them. For example, school supplied laptops can be designed so that educators can monitor what their users are doing. If a school board loses control of their own security or they have bad employees, there’s nothing students can do. They are completely helpless because their machines are designed to prevent them from doing anything.”

“We have this path of surveillance that starts with prisoners, then mental patients, refugees, students, benefits claimants, blue collar workers and then white collar workers. That’s the migration path for surveillance and students are really low in the curve. People who work in education are very close to the front lines of the legitimisation of surveillance and designing computers to control their users rather than being controlled by users,” Doctorow says.

Surveillance in education can also interfere with the educational process, he says, because “nobody wants to be seen fumbling. When you are still learning, you don’t want to feel like you are being watched and judged.” Doctorow adds that, due to their lack of power, students have limited options to take control of their learning and the digital tools they use.

“I talk to students, often younger students, who say they don’t worry about surveillance because they know how to block it out; they use a proxy or something else. But, first of all, those students can get in a lot of trouble for it. In America, they could actually be committing a crime and they could go to jail for it. It also doesn’t solve the overall problem; it only solves it for them. So I’ve often said to students that rather than breaking the rules, they document the absurdity of the rules and demand that adults account for it.”

“The censorware companies mostly work in the Middle East in repressive regimes who buy it on a mass scale to try to control the flow of information in their countries. Students should contact journalists, the school board and the parents’ association and ask why they are giving money that was meant to be for their education to war criminals who spy on us.”

Handing over data, often quite thoughtlessly, has become par for the course – in education and in society more generally. Although privacy experts have urged parents and educators to be more proactive about protecting children’s data and privacy – while using Pokémon Go and other data-hungry apps – we now live in a culture of surveillance, where data collection and data extraction have become normalized.

Many of us have become quite lackadaisical about the data we share. “It doesn’t matter.” “I have nothing to hide.” Schools, operating under longstanding mandates to track and to measure as much as possible, have been more than willing to expand the amount and types of data they’re collecting on students. Fears of FERPA are frequently stoked to stymy certain projects – perhaps unnecessarily in some cases – but schools have not always been cautious about who has access to student data.

Has our confidence that we or our students have “nothing to hide” changed now under President-Elect Trump?

“Big Brother is coming to universities,” The Guardian pronounced in January, although arguably this culture of surveillance has been a part of education for quite some time. But undoubtedly new digital technologies exacerbate this. The monitoring of students is undertaken to identify “problem behaviors” and in turn to provide a revenue source for companies willing to monetize the data they collect about all sorts of student behaviors. “Enabled by Schools, Students Are Under Constant Surveillance by Marketers,” as the National Education Policy Center cautioned in May.

Under surveillance by marketers. Under surveillance by companies. Under surveillance by schools. Under surveillance by police. Under surveillance by governments. Under surveillance by gadgets. Under surveillance when they use school software. Under surveillance when they use social media. And again, it’s all justified with a narrative about “success” and “safety.”
